Mailchimp Security – 3 tips to keep your mailing lists safe

freddy

Mailchimp is a great and versatile web application used by lots of websites; it’s easy to use and secure. But the developer has to implement it correctly to keep your subscriber data safe, and with so many sites using Mailchimp, it’s important to get Mailchimp security right.

When I was randomly testing a mobile application for security, I found an issue that allowed me to retrieve all the mailing lists and subscribers from the company’s Mailchimp account. My guess is that they’re not the only ones who have mis-implemented Mailchimp, so I thought I’d write an article with 3 tips on how to prevent access to your Mailchimp subscribers’ data (names, e-mail addresses, etc.).

1. Don’t add your API key to your mobile app (or the frontend HTML of your website)

2. Don’t add your API key to your mobile app (or the frontend HTML of your website)

3. Don’t add your API key to your mobile app (or the frontend HTML of your website)

Ok, so it’s really only one tip, but it’s a crucial one: your API key is for your eyes only. If someone with bad intent gets hold of your Mailchimp API key, they will be able to retrieve all your mailing lists and subscriber data!

When I was testing this iOS app (which was even featured by Apple), I noticed that the “subscribe to newsletter” functionality posted the e-mail address directly to the Mailchimp API:

[Screenshot (Fiddler): the app’s subscribe request going straight to the Mailchimp API]

Lo and behold, there is the API key:
[Screenshot (Fiddler): the captured request with the API key in plain view]


Let’s try to get all the Mailchimp lists through the Mailchimp API:

Let’s go to api.mailchimp.com/2.0/lists/list?apikey=(insert api key here)
[Screenshot: the Mailchimp API response listing every mailing list in the account]

Well, that was easy: we now have all the mailing lists from the Mailchimp account, including their list IDs.
Now if someone wanted the subscribers from those lists, all they need to do is go to:

api.mailchimp.com/2.0/lists/members?apikey=(apikey)&id=(listid) and they will get all the subscribers’ data (first name, last name, email, etc.)

Time to find out who this API key belongs to and send them an email 🙂
api.mailchimp.com/2.0/users/profile?apikey=(apikey)

I notified the company so they can take steps to implement it correctly. For example, it would be better to send the subscribe POST to your own web server (e.g. domain.com/subscribe) with the e-mail address, and then have your own server code send the subscription to Mailchimp with the API key, so the end user never gets to see the API key.
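The server-side proxy described above, written out as an added example (this is not the app’s or Mailchimp’s code): the client only ever POSTs an e-mail address to your own /subscribe endpoint, and the server adds the key and talks to Mailchimp. The v2.0-style subscribe endpoint path, the MAILCHIMP_API_KEY environment variable and the placeholder key and list values are assumptions.

```python
"""Server-side subscribe proxy: the Mailchimp API key never leaves the server."""
import json
import os
import re
from typing import Callable, Dict

# Minimal sanity check on the only field the client is allowed to send.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def load_api_key() -> str:
    # Assumed deployment: the key comes from the environment or a secret
    # store on the server, never from the app bundle or the page source.
    key = os.environ.get("MAILCHIMP_API_KEY")
    if not key:
        raise RuntimeError("MAILCHIMP_API_KEY is not set on the server")
    return key


def build_mailchimp_request(api_key: str, list_id: str, email: str) -> Dict:
    # Outbound call made by the server. The v2.0-style path and body are an
    # assumption modelled on the article's URLs; check the current API docs.
    return {
        "url": "https://api.mailchimp.com/2.0/lists/subscribe",
        "body": {"apikey": api_key, "id": list_id, "email": {"email": email}},
    }


def handle_subscribe(client_body: str, send: Callable[[Dict], Dict],
                     api_key: str, list_id: str) -> Dict:
    """Handle POST /subscribe from the app or website.

    `send` performs the HTTPS call (injected so the handler runs offline).
    `api_key` and `list_id` are server-side configuration: the client only
    chooses the e-mail address; any other field it sends is ignored.
    """
    try:
        data = json.loads(client_body)
    except json.JSONDecodeError:
        return {"status": 400, "body": {"error": "invalid json"}}
    email = data.get("email") if isinstance(data, dict) else None
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        return {"status": 400, "body": {"error": "invalid email"}}
    upstream = send(build_mailchimp_request(api_key, list_id, email))
    # Only a yes/no goes back to the client: neither the key nor the raw
    # Mailchimp response (list ids, member data) is ever returned.
    ok = upstream.get("status") == 200
    return {"status": 200 if ok else 502, "body": {"subscribed": ok}}
```

In a real deployment `send` would be a thin wrapper around your HTTP client, and `api_key` would come from `load_api_key()` at startup.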


  • Hey Thomas,
    great suggestion. Sometimes it’s scary that these things actually happen in real life. Maybe MailChimp isn’t doing a good enough job explaining that the API key should never ever be exposed in public. Sometimes it’s as well just developers that don’t have a lot of experience working with API keys. At least MailChimp gives you the ability to delete API Keys that have been exposed with a few clicks inside their Dashboard. I have seen Email Marketing Systems that don’t allow you to roll over API keys that easily, so if there is a “breach” you are basically stuck and have to wait for the support to reply. I wrote a very extensive Guide to MailChimp that shows users how to make the most out of it. If I add a section about working directly with the API in the future I will make sure to include your suggestions!

    • Thomas Lang

      Hi Jascha,

      Thanks for your message, yes it is scary, and I have seen a lot of similar security problems in the past 6 months, I hope I can do another article on this (mostly wrong implementation of 3rd party authentication like Facebook login, API keys being used in frontend, or no input filtering on user data..)

      It’s mostly the developers that aren’t familiar with the best practices with these kinds of implementations in general.

      Somehow this isn’t surprising, nowadays there are so many third party tools that developers need to implement in a website (Disqus, Facebook login, Mailchimp, analytics, push messaging, live chat etc..) important steps are bound to be overlooked, that’s why it’s crucial to reserve a good amount of time to review these items.

      Mailchimp does mention it where the API keys are shown:
      https://uploads.disquscdn.com/images/deedc27c26cebcce9862c2fed1d17c28a10d6b80ef64649c66402d6edf65fda5.png

      here is the article they link to: http://kb.mailchimp.com/integrations/api-integrations/about-api-keys#API-Key-Securitye